
Windows Analysis Report
https://welsfargo.com-onlinebanking.com/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p

Overview

General Information

Sample URL:https://welsfargo.com-onlinebanking.com/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems
Analysis ID:1649704

Detection

KnowBe4
Score:56
Range:0 - 100
Confidence:100%

Signatures

Yara detected KnowBe4 simulated phishing
AI detected suspicious Javascript
AI detected suspicious URL
Creates files inside the system directory
Deletes files inside the Windows folder

Classification

  • System is w10x64_ra
  • chrome.exe (PID: 6288 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)
    • chrome.exe (PID: 6480 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1984,i,12213766920877306329,2707875683570504114,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2208 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
  • chrome.exe (PID: 7116 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://welsfargo.com-onlinebanking.com/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09?cid=2460659214" MD5: E81F54E6C1129887AEA47E7D092680BF)
  • cleanup
Source | Rule | Description | Author | Strings
1.0.pages.csv | JoeSecurity_KnowBe4 | Yara detected KnowBe4 simulated phishing | Joe Security |
    No Sigma rule has matched
    No Suricata rule has matched

    Phishing

    Source: Yara match | File source: 1.0.pages.csv, type: HTML
    Source: 0.0..script.csv | Joe Sandbox AI: Detected suspicious JavaScript with source url: https://welsfargo.com-onlinebanking.com/Xdm5ISUlpb... This script exhibits high-risk behavior by redirecting the user to a suspicious and heavily obfuscated URL, which is a common tactic used in phishing and malware attacks. The obfuscated URL suggests an attempt to hide the true destination, which is likely a malicious website designed to steal user credentials or other sensitive information. This level of obfuscation and the lack of transparency around the destination URL are strong indicators of malicious intent, warranting a high-risk score.
    Source: https://welsfargo.com-onlinebanking.com | Joe Sandbox AI: The URL 'https://welsfargo.com-onlinebanking.com' appears to be a typosquatting attempt targeting the well-known financial institution Wells Fargo. The legitimate URL for Wells Fargo is 'https://www.wellsfargo.com'. The analyzed URL uses a visual character substitution by omitting the second 'l' in 'wells', resulting in 'wels'. Additionally, the structure of the URL includes a misleading subdomain 'com-onlinebanking', which could confuse users into thinking it is a legitimate online banking service of Wells Fargo. The use of 'com-onlinebanking.com' as a domain extension is designed to mimic a legitimate service, increasing the likelihood of user confusion. The high similarity score is due to the close resemblance to the legitimate brand name and the deceptive structural elements. The likelihood of this being a typosquatting attempt is very high, given the visual and structural similarities aimed at misleading users.
    Source: https://secured-login.net/pages/c3955b1c48a/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09 | HTTP Parser: No favicon
    Source: unknown | HTTPS traffic detected: 44.214.113.176:443 -> 192.168.2.16:49703 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 44.214.113.176:443 -> 192.168.2.16:49702 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 44.196.92.142:443 -> 192.168.2.16:49708 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 44.196.92.142:443 -> 192.168.2.16:49707 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 52.85.61.102:443 -> 192.168.2.16:49714 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 52.85.61.102:443 -> 192.168.2.16:49716 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 52.85.61.102:443 -> 192.168.2.16:49715 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 52.217.12.212:443 -> 192.168.2.16:49713 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.17.249.203:443 -> 192.168.2.16:49717 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 142.250.72.100:443 -> 192.168.2.16:49718 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 54.91.212.60:443 -> 192.168.2.16:49721 version: TLS 1.2
    Source: chrome.exe | Memory has grown: Private usage: 23MB later: 40MB
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
    Source: unknown | TCP traffic detected without corresponding DNS query: 52.182.143.211
    Source: unknown | TCP traffic detected without corresponding DNS query: 208.89.73.21
    Source: unknown | TCP traffic detected without corresponding DNS query: 142.250.64.67
    Source: global traffic | HTTP traffic detected: GET /Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09?cid=2460659214 HTTP/1.1 | Host: welsfargo.com-onlinebanking.com | Connection: keep-alive | sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" | sec-ch-ua-mobile: ?0 | sec-ch-ua-platform: "Windows" | Upgrade-Insecure-Requests: 1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Sec-Fetch-Site: none | Sec-Fetch-Mode: navigate | Sec-Fetch-User: ?1 | Sec-Fetch-Dest: document | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
    Source: global traffic | HTTP traffic detected: GET /pages/c3955b1c48a/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09 HTTP/1.1 | Host: secured-login.net | Connection: keep-alive | sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" | sec-ch-ua-mobile: ?0 | sec-ch-ua-platform: "Windows" | Upgrade-Insecure-Requests: 1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: navigate | Sec-Fetch-Dest: document | Referer: https://welsfargo.com-onlinebanking.com/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09?cid=2460659214 | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
    Source: global traffic | HTTP traffic detected: GET /assets/landing-watermark-8487e36eef1bec74f06631f19fea0aa171c208e2976373cda5bd0a4b9e230903.css HTTP/1.1 | Host: secured-login.net | Connection: keep-alive | sec-ch-ua-platform: "Windows" | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" | sec-ch-ua-mobile: ?0 | Accept: text/css,*/*;q=0.1 | Sec-Fetch-Site: same-origin | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: style | Referer: https://secured-login.net/pages/c3955b1c48a/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09 | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
    Source: global traffic | HTTP traffic detected: GET /assets/application-b8fb25919f68be551e6730684a8ed34bc7dd2dac142e7cc51ebf7b09c48546d5.js HTTP/1.1 | Host: training.knowbe4.com | Connection: keep-alive | sec-ch-ua-platform: "Windows" | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" | sec-ch-ua-mobile: ?0 | Accept: */* | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: script | Sec-Fetch-Storage-Access: active | Referer: https://secured-login.net/pages/c3955b1c48a/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09 | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
    Source: global traffic | HTTP traffic detected: GET /packs/js/vendor-954761ad0dceb106b971.js HTTP/1.1 | Host: training.knowbe4.com | Connection: keep-alive | sec-ch-ua-platform: "Windows" | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" | sec-ch-ua-mobile: ?0 | Accept: */* | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: script | Sec-Fetch-Storage-Access: active | Referer: https://secured-login.net/pages/c3955b1c48a/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09 | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
    Source: global traffic | HTTP traffic detected: GET /assets/application-237cb5c4f318687625f8ccf2f42de3fc20238bfe267384653491a6bba8c8f6f5.js HTTP/1.1 | Host: secured-login.net | Connection: keep-alive | sec-ch-ua-platform: "Windows" | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" | sec-ch-ua-mobile: ?0 | Accept: */* | Sec-Fetch-Site: same-origin | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: script | Referer: https://secured-login.net/pages/c3955b1c48a/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09 | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
    Source: global traffic | HTTP traffic detected: GET /assets/modernizr-79e0181ec91aff04bb01d87cba546535ede843f75d19f5c60f66b8dd6546971f.js HTTP/1.1 | Host: training.knowbe4.com | Connection: keep-alive | sec-ch-ua-platform: "Windows" | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" | sec-ch-ua-mobile: ?0 | Accept: */* | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: script | Sec-Fetch-Storage-Access: active | Referer: https://secured-login.net/pages/c3955b1c48a/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09 | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
    Source: global traffic | HTTP traffic detected: GET /landing_pages/oops/styles.css HTTP/1.1 | Host: helpimg.s3.amazonaws.com | Connection: keep-alive | sec-ch-ua-platform: "Windows" | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" | sec-ch-ua-mobile: ?0 | Accept: text/css,*/*;q=0.1 | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: style | Sec-Fetch-Storage-Access: active | Referer: https://secured-login.net/pages/c3955b1c48a/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09 | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
    Source: global traffic | HTTP traffic detected: GET /petite-vue HTTP/1.1 | Host: unpkg.com | Connection: keep-alive | sec-ch-ua-platform: "Windows" | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" | sec-ch-ua-mobile: ?0 | Accept: */* | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: script | Sec-Fetch-Storage-Access: active | Referer: https://secured-login.net/pages/c3955b1c48a/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09 | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
    Source: global traffic | HTTP traffic detected: GET /petite-vue@0.4.1/dist/petite-vue.iife.js HTTP/1.1 | Host: unpkg.com | Connection: keep-alive | sec-ch-ua-platform: "Windows" | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" | sec-ch-ua-mobile: ?0 | Accept: */* | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: script | Sec-Fetch-Storage-Access: active | Referer: https://secured-login.net/pages/c3955b1c48a/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09 | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
    Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Host: secured-login.net | Connection: keep-alive | sec-ch-ua-platform: "Windows" | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" | sec-ch-ua-mobile: ?0 | Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8 | Sec-Fetch-Site: same-origin | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: image | Referer: https://secured-login.net/pages/c3955b1c48a/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09 | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
    Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Host: secured-login.net | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | Accept: */* | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Sec-Fetch-Storage-Access: active | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
    Source: global traffic | DNS traffic detected: DNS query: welsfargo.com-onlinebanking.com
    Source: global traffic | DNS traffic detected: DNS query: secured-login.net
    Source: global traffic | DNS traffic detected: DNS query: helpimg.s3.amazonaws.com
    Source: global traffic | DNS traffic detected: DNS query: training.knowbe4.com
    Source: global traffic | DNS traffic detected: DNS query: unpkg.com
    Source: global traffic | DNS traffic detected: DNS query: www.google.com
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Windows\SystemTemp\scoped_dir6288_1039117786
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File deleted: C:\Windows\SystemTemp\scoped_dir6288_1039117786
    Source: classification engine | Classification label: mal56.phis.win@23/8@14/131
    Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1984,i,12213766920877306329,2707875683570504114,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2208 /prefetch:3
    Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://welsfargo.com-onlinebanking.com/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09?cid=2460659214"
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
    Source: Window Recorder | Window detected: More than 3 window changes detected
    ATT&CK matrix by tactic:
    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
    Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron
    Persistence: 2 Browser Extensions; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
    Privilege Escalation: 1 Process Injection; 1 Extra Window Memory Injection; Logon Script (Windows); Login Hook
    Defense Evasion: 1 Masquerading; 1 Process Injection; 1 File Deletion; 1 Extra Window Memory Injection
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
    Discovery: System Service Discovery; Application Window Discovery; Query Registry; System Network Configuration Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
    Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
    Command and Control: 1 Encrypted Channel; 2 Non-Application Layer Protocol; 3 Application Layer Protocol; 1 Ingress Tool Transfer
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction

    Source | Detection | Scanner | Label | Link
    https://welsfargo.com-onlinebanking.com/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09?cid=2460659214 | 0% | Avira URL Cloud | safe
    No Antivirus matches
    Source | Detection | Scanner | Label | Link
    https://training.knowbe4.com/packs/js/vendor-954761ad0dceb106b971.js | 0% | Avira URL Cloud | safe
    https://training.knowbe4.com/assets/application-b8fb25919f68be551e6730684a8ed34bc7dd2dac142e7cc51ebf7b09c48546d5.js | 0% | Avira URL Cloud | safe
    https://training.knowbe4.com/assets/modernizr-79e0181ec91aff04bb01d87cba546535ede843f75d19f5c60f66b8dd6546971f.js | 0% | Avira URL Cloud | safe
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    s3-w.us-east-1.amazonaws.com | 52.217.12.212 | true | false | | high
    www.google.com | 142.250.72.100 | true | false | | high
    training.knowbe4.com | 52.85.61.102 | true | false | | high
    secured-login.net | 44.196.92.142 | true | false | | high
    unpkg.com | 104.17.249.203 | true | false | | high
    landing.training.knowbe4.com | 44.214.113.176 | true | false | | high
    helpimg.s3.amazonaws.com | unknown | unknown | false | | high
    welsfargo.com-onlinebanking.com | unknown | unknown | true | | unknown
    Name | Malicious | Antivirus Detection | Reputation
    https://secured-login.net/pages/c3955b1c48a/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09 | false | | unknown
    https://welsfargo.com-onlinebanking.com/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09?cid=2460659214 | true | | unknown
    https://secured-login.net/favicon.ico | false | | high
    https://secured-login.net/assets/landing-watermark-8487e36eef1bec74f06631f19fea0aa171c208e2976373cda5bd0a4b9e230903.css | false | | high
    https://training.knowbe4.com/assets/application-b8fb25919f68be551e6730684a8ed34bc7dd2dac142e7cc51ebf7b09c48546d5.js | false | Avira URL Cloud: safe | unknown
    https://training.knowbe4.com/packs/js/vendor-954761ad0dceb106b971.js | false | Avira URL Cloud: safe | unknown
    https://helpimg.s3.amazonaws.com/landing_pages/oops/styles.css | false | | high
    https://unpkg.com/petite-vue | false | | high
    https://secured-login.net/assets/application-237cb5c4f318687625f8ccf2f42de3fc20238bfe267384653491a6bba8c8f6f5.js | false | | high
    https://unpkg.com/petite-vue@0.4.1/dist/petite-vue.iife.js | false | | high
    https://training.knowbe4.com/assets/modernizr-79e0181ec91aff04bb01d87cba546535ede843f75d19f5c60f66b8dd6546971f.js | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
52.217.12.212 | s3-w.us-east-1.amazonaws.com | United States | 16509 | AMAZON-02US | false
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false
54.91.212.60 | unknown | United States | 14618 | AMAZON-AESUS | false
142.251.179.84 | unknown | United States | 15169 | GOOGLEUS | false
44.196.92.142 | secured-login.net | United States | 14618 | AMAZON-AESUS | false
52.85.61.102 | training.knowbe4.com | United States | 16509 | AMAZON-02US | false
44.214.113.176 | landing.training.knowbe4.com | United States | 14618 | AMAZON-AESUS | false
142.251.40.163 | unknown | United States | 15169 | GOOGLEUS | false
104.17.249.203 | unpkg.com | United States | 13335 | CLOUDFLARENETUS | false
142.250.72.100 | www.google.com | United States | 15169 | GOOGLEUS | false
142.251.35.163 | unknown | United States | 15169 | GOOGLEUS | false
142.251.35.174 | unknown | United States | 15169 | GOOGLEUS | false
                                    IP
                                    192.168.2.16
                                    192.168.2.13
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1649704
Start date and time: 2025-03-27 00:56:46 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Sample URL: https://welsfargo.com-onlinebanking.com/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09?cid=2460659214
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
Analysis Mode: stream
Analysis stop reason: Timeout
Detection: MAL
Classification: mal56.phis.win@23/8@14/131
• Exclude process from analysis (whitelisted): svchost.exe
• Excluded IPs from analysis (whitelisted): 142.251.35.174, 142.251.35.163, 142.251.179.84
• Excluded domains from analysis (whitelisted): clients2.google.com, accounts.google.com, redirector.gvt1.com, clientservices.googleapis.com, clients.l.google.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size getting too big; too many NtOpenFile calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: https://welsfargo.com-onlinebanking.com/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09?cid=2460659214
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: ASCII text, with very long lines (65447)
Category: downloaded
Size (bytes): 380848
Entropy (8bit): 5.202109831427653
Encrypted: false
SSDEEP:
MD5: 67A0C4DBD69561F3226243034423F1ED
SHA1: 88C1B5C7EBBFA24D8196290206BF544F28EEB406
SHA-256: 74B9F1CFE7CAD31AE1C1901200890B76676E6D92AC817641F5EF9BFD552F2110
SHA-512: D5326C46E2FC443AA0C75DB573B39957514BD025235ADB5F16797133394E1AFD0A6458B38DA8220BF7558333E8F2334532FBCC4CD9DD4DD5811AAC403B498542
Malicious: false
Reputation: unknown
URL: https://secured-login.net/assets/application-237cb5c4f318687625f8ccf2f42de3fc20238bfe267384653491a6bba8c8f6f5.js
Preview: /*! jQuery v3.7.1 | (c) OpenJS Foundation and other contributors | jquery.org/license */.!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(ie,e){"use strict";var oe=[],r=Object.getPrototypeOf,ae=oe.slice,g=oe.flat?function(e){return oe.flat.call(e)}:function(e){return oe.concat.apply([],e)},s=oe.push,se=oe.indexOf,n={},i=n.toString,ue=n.hasOwnProperty,o=ue.toString,a=o.call(Object),le={},v=function(e){return"function"==typeof e&&"number"!=typeof e.nodeType&&"function"!=typeof e.item},y=function(e){return null!=e&&e===e.window},C=ie.document,u={type:!0,src:!0,nonce:!0,noModule:!0};function m(e,t,n){var r,i,o=(n=n||C).createElement("script");if(o.text=e,t)for(r in u)(i=t[r]||t.getAttribute&&t.getAttribute(r))&&o.setAttribute(r,i);n.head.appendChild(o).parentNode.remove

Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: Unicode text, UTF-8 text
Category: downloaded
Size (bytes): 5649
Entropy (8bit): 5.250605215538956
Encrypted: false
SSDEEP:
MD5: B13B4F098D80AC49DCC6BED4E459D560
SHA1: 81FFB3DD594A82F9453D1C45DA812DFC008CAA65
SHA-256: 5FC2013E8D4F5A97667A0A5BFEF9A2E148363D89A46BE49F14CB2C60B1461CA9
SHA-512: 4FEAEA5336B3E1B7B1D26C5D576C655208955D4C7657B967D11A9D58A3086EB0D087DE53606E0AC4E0F3AEFD9993E616BD7B9B343AE23DEB20477BD7EFD75ECC
Malicious: false
Reputation: unknown
URL: https://helpimg.s3.amazonaws.com/landing_pages/oops/styles.css
Preview: :root {..--clr-neutral-100: #ffffff;..--clr-neutral-200: #f5f5f5;..--clr-neutral-300: #d5d5d5;..--clr-neutral-400: #ababab;..--clr-neutral-500: #707070;..--clr-neutral-600: #2c2c2c;.../* Padding */..--padding-xs: clamp(0.5rem, 1.5%, 0.75rem);..--padding-sm: clamp(1rem, 3%, 1.5rem);..--padding-md: clamp(1.5rem, 6%, 3rem);..--padding-lg: clamp(3rem, 12%, 6rem);.../* Margin */..--block-flow-xs: min(1rem, 2vh);..--block-flow-sm: min(2rem, 4vh);..--block-flow-md: min(4rem, 8vh);..--block-flow-lg: min(8rem, 16vh);.../* Font Sizes */.../* @link https://utopia.fyi/type/calculator?c=320,18,1.2,1240,20,1.25,5,2,&s=0.75|0.5|0.25,1.5|2|3|4|6,s-l&g=s,l,xl,12 */.../* Step -1: 15px . 12.003px */..--step--1: clamp(0.7502rem, 1.0027rem + -0.3258vi, 0.9375rem);../* Step 0: 18px . 16px */..--step-0: clamp(1rem, 1.1685rem + -0.2174vi, 1.125rem);../* Step 1: 21.6px . 21.328px */..--step-1: clamp(1.333rem, 1.3559rem + -0.0296vi, 1.35rem);../* Step 2: 25.92px . 28.4302px */..--step-2: clamp(1.62rem,

Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: ASCII text, with very long lines (16900)
Category: downloaded
Size (bytes): 16901
Entropy (8bit): 5.207509946311759
Encrypted: false
SSDEEP:
MD5: A7DB3244C9A6704A3159A38C82207F66
SHA1: CC3B2BF9D2FCC718C86B1ED2AC7D9CD5BA12EF43
SHA-256: 774BB8E88B09936246A57F0DFED88A375258A8235B893561C96880411DABC4D5
SHA-512: 3197FFB1055735A329D122D6C8EDFA9C12FCCD54E8F22F579A4E79B3C6AE0163391E790429A3F680434309AAECCE1572941EA47DEE321AC080FEAADA2DE3F3B6
Malicious: false
Reputation: unknown
URL: https://unpkg.com/petite-vue@0.4.1/dist/petite-vue.iife.js
Preview: var pn=Object.defineProperty,hn=(e,t,n)=>t in e?pn(e,t,{enumerable:!0,configurable:!0,writable:!0,value:n}):e[t]=n,C=(e,t,n)=>(hn(e,"symbol"!=typeof t?t+"":t,n),n),PetiteVue=function(e){"use strict";function t(e){if(a(e)){const n={};for(let s=0;s<e.length;s++){const i=e[s],o=d(i)?r(i):t(i);if(o)for(const e in o)n[e]=o[e]}return n}return d(e)||g(e)?e:void 0}const n=/;(?![^(]*\))/g,s=/:(.+)/;function r(e){const t={};return e.split(n).forEach((e=>{if(e){const n=e.split(s);n.length>1&&(t[n[0].trim()]=n[1].trim())}})),t}function i(e){let t="";if(d(e))t=e;else if(a(e))for(let n=0;n<e.length;n++){const s=i(e[n]);s&&(t+=s+" ")}else if(g(e))for(const n in e)e[n]&&(t+=n+" ");return t.trim()}function o(e,t){if(e===t)return!0;let n=h(e),s=h(t);if(n||s)return!(!n||!s)&&e.getTime()===t.getTime();if(n=a(e),s=a(t),n||s)return!(!n||!s)&&function(e,t){if(e.length!==t.length)return!1;let n=!0;for(let s=0;n&&s<e.length;s++)n=o(e[s],t[s]);return n}(e,t);if(n=g(e),s=g(t),n||s){if(!n||!s)return!1;if(Object.k

Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: HTML document, ASCII text, with very long lines (398)
Category: downloaded
Size (bytes): 452
Entropy (8bit): 5.787237369982687
Encrypted: false
SSDEEP:
MD5: 0CC63B1E9594CB742C10C41002B6C9C2
SHA1: 0DB50D1F5A75C26C06ADD92A20E7B942F6DF74D2
SHA-256: 43AE2B3B623B53D5CE12C5F99DCE3BCD56EA24A47B2877FAC190D451E38FC19C
SHA-512: E965ACF21654305F4C0F303F94E4481A0F1A10F0CE04684C68755965F90024A381F8DF2954140A8C0C5AD344C968BD4E884178D0ED12731126E686EA1B736671
Malicious: false
Reputation: unknown
URL: https://welsfargo.com-onlinebanking.com/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09?cid=2460659214
Preview: <html>. <head>. <script>window.location.href = 'https://secured-login.net/pages/c3955b1c48a/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09';</script>. </head>. <body>. </body>.</html>.

Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: HTML document, ASCII text
Category: downloaded
Size (bytes): 51364
Entropy (8bit): 4.630626843010533
Encrypted: false
SSDEEP:
MD5: BF2F96E6233DE3D8C0346085AC28248A
SHA1: 4DB267704D7E3FB2489CF96E82862A2245CD9311
SHA-256: EE94DDA0AF1FC5C5045741B39E54136015365EEDCA34095F1D3C666998BB442D
SHA-512: D4DB54380D135D9F5AAA03727CC88037B014C1057A3061C3D173EB8D4CEC7E4A2F71CFCA1478E8E15C093D510EEE80668C2038691EAEB21958942089F0DD9C6C
Malicious: false
Reputation: unknown
URL: https://training.knowbe4.com/assets/modernizr-79e0181ec91aff04bb01d87cba546535ede843f75d19f5c60f66b8dd6546971f.js
Preview: /*!. * Modernizr v2.7.1. * www.modernizr.com. *. * Copyright (c) Faruk Ates, Paul Irish, Alex Sexton. * Available under the BSD and MIT licenses: www.modernizr.com/license/. */../*. * Modernizr tests which native CSS3 and HTML5 features are available in. * the current UA and makes the results available to you in two ways:. * as properties on a global Modernizr object, and as classes on the. * <html> element. This information allows you to progressively enhance. * your pages with a granular level of control over the experience.. *. * Modernizr has an optional (not included) conditional resource loader. * called Modernizr.load(), based on Yepnope.js (yepnopejs.com).. * To get a build that includes Modernizr.load(), as well as choosing. * which tests to include, go to www.modernizr.com/download/. *. * Authors Faruk Ates, Paul Irish, Alex Sexton. * Contributors Ryan Seddon, Ben Alman. */..window.Modernizr = (function( window, document, undefined ) {.. var version = '2.7.1',..

Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: ASCII text
Category: downloaded
Size (bytes): 3205083
Entropy (8bit): 5.067660187114562
Encrypted: false
SSDEEP:
MD5: F1232635B40CBFAE664CA09BA03FC9C3
SHA1: C70240DA2684DB0184AB4C123B7F686035A8FB93
SHA-256: 55644838E3E24BB2ED95B03654F6BC0AB4B5725F73BD9E6656C50AB8441194FF
SHA-512: FB466E90765EB7D07AD12D8FFF42926F9C86CE41EDFB36254B1EE180221B5429624B711389F0143AA0716DEB113DB1BE9954E9A4FAF49151A6C19867512BB064
Malicious: false
Reputation: unknown
URL: https://training.knowbe4.com/assets/application-b8fb25919f68be551e6730684a8ed34bc7dd2dac142e7cc51ebf7b09c48546d5.js
Preview: /*!. * jQuery JavaScript Library v1.12.4. * http://jquery.com/. *. * Includes Sizzle.js. * http://sizzlejs.com/. *. * Copyright jQuery Foundation and other contributors. * Released under the MIT license. * http://jquery.org/license. *. * Date: 2016-05-20T17:17Z. */..(function( global, factory ) {...if ( typeof module === "object" && typeof module.exports === "object" ) {...// For CommonJS and CommonJS-like environments where a proper `window`...// is present, execute the factory and get jQuery....// For environments that do not have a `window` with a `document`...// (such as Node.js), expose a factory as module.exports....// This accentuates the need for the creation of a real `window`....// e.g. var jQuery = require("jquery")(window);...// See ticket #14549 for more info....module.exports = global.document ?....factory( global, true ) :....function( w ) {.....if ( !w.document ) {......throw new Error( "jQuery requires a window with a document" );.....}.....return factory( w );....};..

Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: HTML document, Unicode text, UTF-8 text, with very long lines (382)
Category: downloaded
Size (bytes): 75074
Entropy (8bit): 6.138406589178574
Encrypted: false
SSDEEP:
MD5: D8798AAE777F6C93C53155F081A8C8EA
SHA1: 81B8A61366B8F08C3D3A8A2E1CFE499CEC5521B8
SHA-256: 69FEB31D20F8340079383EB02BD89606E55D53476E2C1A9D70646E3A19FE4A25
SHA-512: 495DAB5208A42596D39852997A20433395648AE68D384EE13AB648D5EBF8C936B2E903F19CA8918E6E70D8DEEF1D036AC6962EA5C58B696A5D7F07146E274239
Malicious: false
Reputation: unknown
URL: https://secured-login.net/pages/c3955b1c48a/Xdm5ISUlpbzhtdFAzRVBKQis5SC96Wk5RNzBQMDI0K2pXZDZtU3IrdmVBTmtxdTdIa3NodG8rOWJKT1p2aytkWWJwQ1hMakhFQUhzSUp6ZXhOandHZmhWcDlybnFkS3RYMFhMNDBMWFFmWklmTTlnZUdpWjBBems0TWR1bE1aalVyenFJdXdTcFJZMEs2Ny9IK1R4VnA5Mlp6WXBXVWxFN1dWT2gxbmFKdzZVOUpOanpCeUdwa05SYi0tOFVyY1ZOb3p0akVSTERtby0tQkdyM1FiQ05wWXdxZzZoOHZ2dkFsZz09
Preview: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="http://www.w3.org/1999/xhtml">. <meta name="IMPORTANT" content="This page is part of a simulated phishing attack initiated by KnowBe4 on behalf of its customers." />. <meta name="IMPORTANT" content="If you have any questions please contact support@knowbe4.com." />. <meta content="IE=edge,chrome=1" http-equiv="X-UA-Compatible"/>. <meta name="robots" content="noindex, nofollow" />.. <head>. <script src="/assets/application-237cb5c4f318687625f8ccf2f42de3fc20238bfe267384653491a6bba8c8f6f5.js"></script>.. <link rel="stylesheet" href="/assets/landing-watermark-8487e36eef1bec74f06631f19fea0aa171c208e2976373cda5bd0a4b9e230903.css" media="all" />.. </head>. .......<meta charset="UTF-8">...<meta name="viewport" content="width=device-width, initial-scale=1.0">... Stylesheet for default styles -->...<link rel="stylesheet" href="https://helpimg

Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: ASCII text
Category: downloaded
Size (bytes): 1471
Entropy (8bit): 4.754611179426391
Encrypted: false
SSDEEP:
MD5: 15E89F9684B18EC43EE51F8D62A787C3
SHA1: 9CBAAACEAE96845ECD3497F41EE3B02588ABEC11
SHA-256: 16F13E16A7EF02FB6F94250AA1931DED83DBEE5D9FAD278E33DD5792D085194F
SHA-512: 79E0110A045F28437D192290AC9789270CB0D4E676A985564746DB439992D867BA89639D7738E2A7F7D83BBF37D9A02CAA2AE1DC4E0EE2519797E5840A47FABE
Malicious: false
Reputation: unknown
URL: https://secured-login.net/assets/landing-watermark-8487e36eef1bec74f06631f19fea0aa171c208e2976373cda5bd0a4b9e230903.css
Preview: /* line 1, app/assets/stylesheets/landing-watermark.scss */..watermark {. -webkit-writing-mode: vertical-rl;. -ms-writing-mode: tb-rl;. writing-mode: vertical-rl;. text-orientation: sideways;.}../* line 4, app/assets/stylesheets/landing-watermark.scss */..watermark.left {. left: 0;.}../* line 7, app/assets/stylesheets/landing-watermark.scss */..watermark.right {. right: 0;.}../* line 10, app/assets/stylesheets/landing-watermark.scss */..watermark.top {. text-align: center;. -webkit-writing-mode: horizontal-tb;. -ms-writing-mode: lr-tb;. writing-mode: horizontal-tb;. top: -38px;.}../* line 15, app/assets/stylesheets/landing-watermark.scss */..watermark h1 {. -webkit-user-select: none;. -moz-user-select: none;. -ms-user-select: none;. user-select: none;. font-size: 15px;. color: #fdfdfa;. font-weight: bold;.}../* line 24, app/assets/stylesheets/landing-watermark.scss */.#template_sei .watermark.left {. margin-left: -10px;.}../* li

                                    No static file info